In March this year, Zurich Insurance Plc was forced by the Information Commissioners Office (ICO) to confess publicly to the loss of 46,000 records containing customer's personal information.
The revelation came just days before the ICO acquired new powers to impose up to £500,000 payment for a data breach. But if the people at Zurich though they'd got off with a written warning and some public shame, they were wrong.
This week, the Financial Services Authority slapped a fine of £2,275,000 on Zurich for the offence -- the largest it has levied so far on a single firm for a data security failure. The fine would have been higher, at £3.35m, but Zurich qualified for a 30% reduction by agreeing to settle at an early stage of the FSA investigation. Although there was no evidence to show the lost information had been misused, the FSA took the view, in a public statement, saying "the loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary."
Zurich UK had outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Ltd. (Zurich SA). In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. Zurich UK did not learn of the incident until a year later, as there were no proper reporting lines in place for such an event.
The FSA concluded that "Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement." It added that Zurich had "failed to ensure that it had effective systems and controls to prevent the lost data being [from] used for financial crime."
Tim Holyoake, a security technologist at Germany-based Software AG, said that companies should stop transporting physical files as a matter of policy. "Why, in a digital economy, are businesses and government still using old fashioned physical means to transfer important data?" he asked. "After countless examples of lost tapes, laptops and USB sticks, it is high time that executives put a stop to this by switching to secure electronic data transfer. It's usually cheaper, too."
He said managers need to treat customer data with the same level of security as they do company cash. "A bank wouldn't take a year to notice missing money, so why is critical customer information being treated with a lower level of priority?" Holyoake said.
Ed McNair, CEO of Overtis Group Ltd., which specialises in user activity management, said that although banks may have policies in place to govern file transfers, those policies need to be enforced. "It only takes one employee to ignore best practice to create a devastating security breach," he said. "It is imperative that security policies are automatically enforced throughout the enterprise. Where a firm has outsourcing partnerships with international subsidiaries, this is absolutely critical."
In a written statement made to the ICO back in March, Zurich said it had already undertaken measures to ensure that, in any future movement of back-up tapes, appropriate encryption will be in place, staff and contractors will be required to follow procedures and effective controls will be implemented to monitor and promptly report potential or actual data loss activity.
Read more on Regulatory compliance and standard requirements
The UK has crossed the Rubicon in data protection, and regulation will only get tougher from now on, says a data protection and privacy lawyer.